http://orbit.virtualcomputer.com/forums/ Join the discussion en Thu, 09 Feb 2012 10:03:13 +0000 http://orbit.virtualcomputer.com/forums/topic/remote-kill-of-a-lost-pc#post-39 Fri, 21 Aug 2009 18:12:57 +0000 Evan Karp 39@http://orbit.virtualcomputer.com/forums/ <p>And if you don't want use 3G datanetwork you can buy just SIM card (gsm). Lowest price i found is 0.66 euro / month. With this sim card you can use remote kill.</p> <p>[Admin Note: Originally posted by Rantpe] </p> http://orbit.virtualcomputer.com/forums/topic/remote-kill-of-a-lost-pc#post-38 Fri, 21 Aug 2009 18:12:44 +0000 Evan Karp 38@http://orbit.virtualcomputer.com/forums/ <p>Maybe things are different here at "Nokialand", but wireless 3G (1-2 mb/s) is standard. Most of the laptops (lenovo) we sell have 3g module inside. You are always on-line. 3G module makes connection to network before Windows starts (from BIOS) and if you use service like Lenovo Constant Secure Remote Disable you can wipe out (or lock) hard disk immediately. </p> <p>I think this year every laptop has 3G module installed (even netbooks have it now). And now have 1-2 mb/s connections, but 5 mb/s prices are coming down rapidly (now 35 e/month unlimited). And 10 mb/s coming this year.</p> <p>I think the mobile operators all over the world will have same kind 3G connections in very near future. so why try to build something that is already here?</p> <p>[Admin Note: Originally posted by Rantpe] </p> http://orbit.virtualcomputer.com/forums/topic/remote-kill-of-a-lost-pc#post-37 Fri, 21 Aug 2009 18:12:21 +0000 Evan Karp 37@http://orbit.virtualcomputer.com/forums/ <p>It sounds like I need to double my efforts in speaking with the Cell phone providers , specifically the big global ones like T-Mobile. Interestingly for some parts of the world a very cost effective solution may well be a "pay as you go SIM" for much of Europe this is something you can get from the high street for a small cost and the top 4 providers provide free of charge to business users ( I need to check with a few but they might actually provide a normal second SIM if asked).</p> <p>The interesting part to this is that as long as the laptop has the correct slot and is able to accept the SMS , MMS or even call or data transfer then you would have no monthly tariff.</p> <p>As mentioned this is not something I have spent any time working on as until we have customers and a shipping product with someone using the feature they are unlikely to pick up the phone.</p> <p>But I think this shows that there are low cost options available in some regions.<br /> Really interesting thread though.</p> <p>Sandrijn</p> <p>[Admin Note: Originally posted by Sandrijn] </p> http://orbit.virtualcomputer.com/forums/topic/remote-kill-of-a-lost-pc#post-36 Fri, 21 Aug 2009 18:11:39 +0000 Evan Karp 36@http://orbit.virtualcomputer.com/forums/ <p>I'm liking the ideas I'm hearing. We're currently using ComputTrace on our laptops and other than a short-lived conflict with our anti-spyware app, it has worked as claimed, however we have not had a loss to test the recovery or remote wipe. The lag time between a loss and call in is a bit concern. There are plenty of free offline disk imagers available. We are looking at whole disk encryption, but they seem to require quite a bit of administrative overhead. To complicate matters, we are now faced with a new law, Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth. This law *requires* data encryption on all portable devices, including laptops, pdas, smartphones, and portable storage. Quite a tall order.</p> <p>I do like the idea of using the onboard fingerprint reader. I've had good luck w/ the Lenovo's w/ TPM that I've used. I'm currently trying to get more info on PGP WDE and MS EFS using the reader. Our C-level folks will cry and pout like babies if they need to remember how to use complicated technology. If one of the fingers they registered w/ the reader suddenly turns up missing, I'm sure logging into their laptop is pretty low on their priority list.</p> <p>If the NxTop hypervisor needed a fingerprint to decrypt the image and log in, I'd love it. I also like the idea of the system to lock out the reader after too many failed attempts and keep it locked until the system calls in. </p> <p>One nice feature that PGP has is the ability to split keys. If there was a way to encrypt the system with additional administrative keys that would be great. If the administrator keys could be split so more than one admin is required to join the keys and decrypt the image, that would be fantastic.</p> <p>[Admin Note: Originally posted by tficarra] </p> http://orbit.virtualcomputer.com/forums/topic/remote-kill-of-a-lost-pc#post-35 Fri, 21 Aug 2009 18:11:13 +0000 Evan Karp 35@http://orbit.virtualcomputer.com/forums/ <p>True, not a lot of leverage otherwise. It would be nice if the cell companies offered an option to fit a cell card into a machine and tie that card to your existing account. The card could be restricted to where it could report and relay information such as location or accept remote kill commands.</p> <p>[Admin Note: Originally posted by randyf25] </p> http://orbit.virtualcomputer.com/forums/topic/remote-kill-of-a-lost-pc#post-34 Fri, 21 Aug 2009 18:10:52 +0000 Evan Karp 34@http://orbit.virtualcomputer.com/forums/ <p>I have seen some variation in the performance of the fingerprint readers. My older HP worked like a charm. My newer one sometimes requires a couple of passes. I have never actually tried to have anyone else swipe their finger on my scanner. That's an interesting experiment. I just kind of took it on faith that no one else's finger scan would work. The one thing that does scare me to death about these scanners is the amazing number of times that I shock the fingerprint scanner with static electricity when I touch it. It seems like a matter of time before it shorts out. Maybe we will see some innovative new two-factor authentication show up on laptops like facial recognition using the built-in camera.</p> <p>We will definitely pursue the wireless network kill avenue, though I agree that it is long road. We probably need more paying customers than zero in order to get any significant traction with the wireless providers.</p> <p>[Admin Note: Originally posted by Doug] </p> http://orbit.virtualcomputer.com/forums/topic/remote-kill-of-a-lost-pc#post-33 Fri, 21 Aug 2009 18:10:33 +0000 Evan Karp 33@http://orbit.virtualcomputer.com/forums/ <p>Doug -</p> <p>My experiences with fingerprint readers have been somewhat sketchy. I've had a Fujitsu tablet and a Toshiba tablet both of which had fingerprint sensors. The Fujitsu reader lasted less than a month and actually authenticated my boss as myself once (that was entertaining). It was sketchy when it did work on how many times I had to swipe my finger to process the authentication request. With my Toshiba tablet it is still working but suffers the same problem as the Fujitsu when it comes to scanning the print. It appears your experiences have been different and that's a good thing. If I had to choose an additional method it would be the two factor requirement.</p> <p>My biggest issue with the cellular solution are the coverages. Unless you went with a method that utilized a hybrid radio (ala the Blackberry World 8830) you would limit the functionality of the device. In order to gain maximum coverage you would need to choose GSM. I'd have to double check but the last time I looked I did not think Japan offered a GSM network (and there might be a few others). If you could obtain some kind of deal with a wireless company that would be an interesting option to look at further. Of course that's IF. </p> <p>As I said above it probably would be acceptable to implement a two-factor authentication mechanism for data that must truly be as secure as possible. My concern on anything keychain/smartcard protected is the proclivity of the user to simply leave that security item in the same location as the notebook it's securing. Fingerprint authentication may seem to be the most viable, it's generally quick and painless (unless the thief steals your finger too).</p> <p>Randy</p> <p>[Admin Note: Originally posted by randyf25] </p> http://orbit.virtualcomputer.com/forums/topic/remote-kill-of-a-lost-pc#post-32 Fri, 21 Aug 2009 18:10:04 +0000 Evan Karp 32@http://orbit.virtualcomputer.com/forums/ <p>Randy--thanks for the great post. I think the limitations you raise about a network-based kill are quite valid. In terms of the window of vulnerability to an authentication breach between the theft and the expiration of the "check in" period, what do you think of the idea of using some type of two-factor authentication? Forcing your users to carry around RSA tokens to access their laptops is probably a recipe for disaster, but most business laptops can be inexpensively outfitted with fingerprint readers. If NxTop could take control of the fingerprint reader and require the end-user to do a biometric swipe instead of or in addition to typing in the password, would this help address the concern you raised? I have been using fingerprint authentication for about a year on three different laptops (one Lenovo and two HPs--this is a great place to work if you like trying different laptops....), and I have had pretty good luck with it.</p> <p>Another idea we have been kicking around for a while is striking a deal with one or more of the wireless companies to gain the ability to send a "kill" signal over the wireless network. Adding the wireless data card to laptops is actually relatively inexpensive. It is the service that is expensive. What if we cut a deal for limited use of wireless networks to let PCs "phone home" to check in without a full subscription to a wireless data plan? It could be a new revenue stream for the wireless companies (like the Amazon Kindle for Sprint), and it also increases their addressable market by promoting purchases of wireless card add-ons by companies who might not have otherwise selected them when their purchased their PCs. It could still be circumvented by yanking out the hard drive, but now the bar for a kill signal bring received is extended to any case where the PC is booted up within range of a wireless tower.</p> <p>Other thoughts and suggestions?</p> <p>Thanks again Randy for stirring up the pot a bit. The more holes we find in the product and positioning now, the less will be there when we actually go try to sell it to someone.</p> <p>[Admin Note: Originally posted by Doug] </p> http://orbit.virtualcomputer.com/forums/topic/remote-kill-of-a-lost-pc#post-31 Fri, 21 Aug 2009 18:09:33 +0000 Evan Karp 31@http://orbit.virtualcomputer.com/forums/ <p>[Admin Note: This is an archived thread from the old Virtual Computer Forums.]</p> <p>Perhaps I missed this during the demo but there's been a lot of discussion on the VC blog and such concerning the ability to kill a remote PC when it goes missing. I've been thinking about it for awhile and I am wondering if this ability is a bit overstated.</p> <p>We operate in a large healthcare environment and as you can imagine deal with a large amount of data that adheres to HIPAA and more importantly the NYS Data Breach Notification Act. As a result we've gone through steps to make sure all notebooks and desktops are covered by a full disk encryption package. As part of that process we investigated the ability to render a stolen machine useless. This same process was also an issue with our handheld devices as a vast majority of physicians are utilizing their Blackberries, Windows Mobile, and Palm devices. One of the major features touted was the ability to remotely wipe/lock a device (ie. from the BES, WM Device Admin, and the encryption package we chose). </p> <p>The two primary options for securing a lost device were either through an active communications channel where the device would check in and receive a wipe command before the thief could make use of the device or by implementing a check-in requirement which would render a device useless after X days/weeks, etc. </p> <p>The problem with a check-in is that during that time period the device is susceptible to hacking attempts. Obviously the workaround is to have the device go into complete lockdown if X login attempts are unsuccessful. The reality of that option is we found that users are too stupid to understand this problem and when faced with a forgotten password (or their num lock key turned off) they would routinely "brick" their machines. We went so far as to set the threshold to 30 failed logins and still received a high enough percentage of failures that it was decided it was too much of a hassle. Especially when a high ranking executive managed to kill his notebook while on a business trip in China.</p> <p>The problem with sending a remote wipe command to a device is that it actually needs to be on a network to communicate before this will function. For the average theft this might prove useful, however we've had a multitude of stolen devices that never again checked back in with our systems. This could be because the device was destroyed when it was lost or it could be that the thieves simply hard reset the device thus destroying the data on it. Either way the bottom line is that the device never phoned home again and therefore we had no ability to remotely wipe it. I would imagine that this is even more difficult in a notebook scenario.</p> <p>In our case I don't believe we are facing a willful effort to compromise our data by individuals outside of our organization. Therefore I am sure that most thefts are those of opportunity and not those seeking to gain access to patient information, etc. Because of this we do feel adequately protected (well, the people who make the financial and operational decisions feel that way) and so we have these features although they are rarely used. </p> <p>I guess my question is that in the average environment will highlighting this feature really prove useful to the marketing of NxTop? I am sure it sounds great as those features did when various security companies were courting us to use their software, but the practicality of the feature was quickly realized in our environment. Of course as I said in the beginning perhaps I missed some cool new way VC is implementing this feature and my entire diatribe can be forgotten.</p> <p>Just trying to generate a little discussion :-)</p> <p>[Admin Note: Originally posted by randyf25] </p>